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SHOULD  INFORMATION-WAR- 
FARE  techniques  be  viewed  as 
weapons  or  as  another  instrument 
of  foreign  policy?  This  article  briefly 
delves  into  the  treaties  and  laws  governing 
warfare  from  an  information-war  perspective. 
Do  these  treaties  and  criminal  laws  prohibit 
the  bulk  of  the  most  technologically  effective 
techniques  from  being  used,  particularly  dur 
ing  peacetime? 

By  and  large,  many  of  the  legal  parame 
ters  of  information  warfare  (IW)  are,  as  yet, 
ambiguous.  This  uncertainty  can  only  be  re 
solved  through  open  and  frank  discussion  of 


just  where  information-warfare  operations  fit 
into  foreign  policy,  international  relations, 
and  the  international  legal  environment.  The 
problem  is  that  a  nation  or  actor  may  well 
take  advantage  of  the  ambiguities  that  exist 
and  force  us  to  attempt  to  resolve  these  is 
sues  long  before  we  are  prepared  to  even 
address  them.  This  article  is  a  modest  step 
to  suggest  a  paradigm  for  analysis  of  these 
issues  before  we  find  ourselves  backed  into 
the  proverbial  corner  and  are  forced  to 
choose  between  no  response  and  a  vigi¬ 
lante-style  response. 
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Do  these  treaties  and  criminal  laws 
prohibit  the  bulk  of  the  most  techno  - 
logically  effective  techniques  from 
being  used,  particularly  during 
peacetime? 


What  Is  “Information  Warfare”? 

Although  it  seems  clear  atfirst  blush,  the 
term  information  warfare  means  different 
things  to  different  people.  There  is  little 
agreement  on  an  accepted  definition. Infor¬ 
mation  warfare ,  attack-mode  and  defensive¬ 
mode  warfare,  electronic  warfare,  cyberwar¬ 
fare,  cyberwar,  soft  war,  hacker  warfare,  and 
low-intensity  warfare  are  just  a  few  of  the 
terms  that  are  used  in  information-warfare 
circles  to  describe  the  same  general  con 
cept.1 

Sun  Tzu  thought  of  information  warfare 
as  including  all  elements  necessary  to  win 
without  fighting.  He  advised  that  you  should 
“assess  your  opponents;  cause  them  to  lose 
spirit  and  direction  so  that  even  if  the  oppos 
ing  army  is  intact  it  is  useless.’5  This  sug¬ 
gests  that  the  scope  of  information  warfare 
has,  from  the  very  beginning,  been  all-inclu 
sive  and  embraces  every  aspect  of  informa 
tion  use  that  would  permit  war  without  battle. 
This  seems  to  include  the  modern  notions  of 
human  intelligence  (HUMINT),  electronic  in 
telligence  (ELINT),  communications  intellt 
gence  (COMINT),  psychological  operations 
(PSYOP),  and  every  other  method  of  gath 
ering  and  affecting  information  that  may  be 
used  to  the  advantage  of  one  nation  or  to  the 
detriment  of  another  during  a  conflict. 

Gen  Ronald  R.  Fogleman,  former  Air 
Force  chief  of  staff,  has  referred  to  the  infor 
mation  explosion  and  the  proliferation  of  in 
terest  in  information  operations  as  the  “fifth 
dimension  of  warfare.’8  He  describes  the 
land,  sea,  air,  and  space  as  the  first  four  d+ 
mensions.4  He  characterized  information 
warfare  as  “any  action  to  deny,  exploit,  cor 
rupt,  or  destroy  the  enemy’s  information  and 
its  functions;  protecting  ourselves  against 


those  actions;  and  exploiting  our  own  mili¬ 
tary  information  functions.’6 

Alvin  and  Heidi  Toffler  were  among  the 
first  to  meaningfully  address  the  modern  in¬ 
formation  explosion  and  its  impact  upon  so 
ciety.  They  speak  of  our  next  conflict  as 
being  an  “anti-war.”  They  characterize  the 
latest  information  revolution  as  the  “informa 
tion  age”  much  like  the  agricultural  age  and 
the  industrial  age.6  They  recognize  that 
knowledge  is  the  “central  resource  of  de- 
structivity  just  as  it  is  the  central  resource  for 
productivity.7  “Knowledge  is  what  the  anti¬ 
wars  of  tomorrow  will  be  about.’8  The  Tof- 
flers’  opinions  suggest  that  the  breadth  of  in¬ 
formation  warfare  is  all-encompassing, 
including  all  forms  of  knowledge. 

The  National  Defense  University  (NDU) 
defines  information  warfare  as  the  “aggres 
sive  use  of  information  means  to  achieve 
national  objectives  ...  the  sequence  of  ae 
tions  undertaken  by  all  sides  of  a  conflict  to 
destroy,  degrade,  and  exploit  the  information 
systems  of  their  adversaries,”  and  it  also  in¬ 
cludes  actions  intended  to  protect  systems 
against  hostile  actions.9  The  Information 
Warfare  Center  at  Kelly  AFB,  Texas,  casts  a 
wide  net  in  its  definition  of  information  war 
fare.  Its  view  is  that  information  warfare  is 
“broadly  considered  to  be  the  use  of  com 
puter,  satellite,  telephone  and  other  systems 
to  damage,  destroy,  degrade,  exploit  and  in 
terfere  with  command  and  control  (and 
other)  systems  of  an  adversary  or  potential 
adversary  and  the  use  of  such  techniques  to 
deny  an  enemy  or  a  potential  enemy  the 
ability  to  do  damage,  destroy,  degrade,  ex 
ploit  or  interfere  with  similar  systems  owned 
and  used  by  the  US.”10 

This  view,  and  an  industrial  or  commercial 
notion  of  “information  assurance”  or  defen 
sive  methods  to  protect  information  assets, 
are  probably  the  best  conceptualizations  we 
can  adopt  to  describe  the  specific  military  in 
formation  environment  relevant  to  the  issues 
that  follow.  It  is  the  one  that  is  adopted  for 
the  remainder  of  this  article.  However,  IW  is 
generally  much  broader  in  scope  than  those 
technology-oriented  aspects  relevant  here. 
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“What  is  an  act  of  war  in  cyberspace?  Is  a  personal  computer  or  U nix- based  system  a  'weapon'?  Is  hacking  through 
the  communications  systems  of  a  hostile  nation  an  'attack'?” 


What  Can  the  United  States 
Legitimately  Do? 

The  resolution  of  this  issue  requires  an 
exhaustive  search  for  guidance.  Space  law, 
telecommunications  law,  international  law, 
criminal  law,  and  the  Law  of  Armed  Conflict 
(LOAC)  are  all  applicable  to  some  degree. 
One  must  examine  these  sources  as  a 
whole  body  of  law  in  order  to  derive  a  valid 
and  effective  framework  for  resolving  this 
issue. 

Laws  bind  the  nation  that  created  the  law, 
but  they  generally  do  not  bind  other  nations. 
Laws  can  be  enforced  in  the  court  system  of 
the  country  that  has  jurisdiction  over  the  of 
fense.  Treaties  are  agreements  between  na 
tions  regarding  issues  that  will  have  some 
type  of  mutual  impact  upon  them.  Treaties 
are  essentially  contracts  between  nations 
and  bind  only  signatory  nations.  Customary 
laws  are  the  unwritten  rules  by  which  na 


tions  interact.  Treaties  and  customary  laws 
are  enforced  in  a  variety  of  ways  through  the 
International  Court  of  Justice  (ICJ),  domestic 
law,  arbitration,  or  the  convoluted  political 
process,  for  example. 

Does  the  UN  Charter  Apply 
to  Information  Warfare? 

The  initial  treaty  that  one  thinks  of  when 
considering  international  issues  and  conflict 
is  the  UN  Charter.  Unfortunately,  it  was 
drafted  in  terms  of  armed  aggression,  not  in¬ 
formation  wars.  The  UN  Charter  provides  for 
the  relationships  of  nations  in  joint,  multina 
tional  activities  of  diverse  types,  not  just  in 
times  of  war.11  Article  2(4)  of  the  charter  indi¬ 
cates  that  “all  members  shall  refrain  . . .  from 
the  threat  or  use  of  force  against  the  territo 
rial  integrity  or  political  independence  of  any 
state.”  Two  ICJ  cases,  the  Corfu  Channel 
case  and  the  Nicaragua  case,1 2  suggest  that 


88  AIRPOWER  JOURNAL  SUMMER  1999 


Article  2(4)  of  the  UN  Charter  is  violated  any 
time  a  country  resorts  to  aggression  in  an  at 
tempt  to  force  another  country  to  undertake 
a  particular  action.  This  is  a  codification  of 
international  relations  reflecting  a  concept 
transcending  treaties — the  manifestation  of 
the  fundamental  notion  of  sovereignty.  This 
age-old  concept  remains  as  strong  as  ever 
in  guiding  the  course  of  international  rela 
tions  as  well  as  both  domestic  and  foreign 
policy.  The  concept  is  a  fundamental  starting 
point  for  any  analysis  of  international  law  is 
sues. 

Does  Space  Law  Apply 
to  Cyberspace? 

This  question  is  easy  to  answer  in  tradf 
tional  lawyer’s  terms:  It  depends.  It  is  dan 
gerous  to  simply  equate  outer  space  with  cy 
berspace.  Although  some  people  may 
conceptualize  both  as  a  free  space  without 
territorial  boundaries,  that  approach  may  run 
afoul  of  various  laws,  treaties,  and  customs. 
Regardless  of  one’s  interpretation  of  cyber 
space,  the  basic  relationship  is  clear:  A  per 
son  at  one  location  is  using  a  computer  to 
negatively  impact  another  individual  or  orga 
nization  at  another  location.  Telecommun-i 
cations  has  long  been  viewed  as  a  medium, 
not  a  location.  This  traditional  analysis  views 
the  use  of  computers  for  “information  war 
fare”  as  simply  the  utilization  of  a  more  ad 
vanced  communications  system.13 

The  space-related  treaties  (space  law) 
appropriate  to  consider  in  this  context  are 
the  Outer  Space  Treaty,  the  Moon  Treaty, 
and  the  Liability  Convention.  The  United 
States  has  agreed  to  each  of  these  treaties. 
Each  shares  a  common  underlying  principle, 
although  not  always  clearly  articulated:  The 
use  of  space  will  be  limited  to  peaceful  pur 
poses.14  This  was  recognized  by  the  United 
States  in  the  amended  National  Air  and 
Space  Act  (NASA)  of  1958 5  and  42  US 
Code  (USC)  2451,  wherein  “the  Congress 
hereby  declares  that  it  is  the  policy  of  the 
United  States  that  activities  in  space  should 
be  devoted  to  peaceful  purposes  for  the 


benefit  of  mankind.”16 This  clearly  diminishes 
the  potential  for  unrestrained  use  of  space 
for  hostile  purposes. 

The  Outer  Space  Treaty  indicates  that 
parties  agree  “not  to  place  in  orbit  around 
the  earth  any  objects  carrying  nuclear 
weapons  or  any  other  kinds  of  weapons  of 
mass  destruction"  (emphasis  added).17  The 
italicized  text  of  this  passage  indicates  the 
ambiguity  of  the  treaty. 

What  is  a  “weapon  of  mass  destruction”? 
This  generally  refers  to  nuclear,  biological, 
or  chemical  weapons.  When  this  treaty  was 
penned  in  1967,  the  escalating  computer 
power  and  cyberwarfare  capabilities  were 
probably  not  foreseen  by  the  drafters.  Some 
have  interpreted  this  treaty  to  mean  that  it 
does  not  include  communications  equip 
ment  that  could  transfer  data  between  two  or 
more  terrestrial  points  and  is  thus  excluded 
by  a  “strict”  reading  of  the  treaty.18  This  inter¬ 
pretation,  while  legally  accurate,  necessarily 
avoids  the  practical  consideration  of  the  dev 
astation  that  could  be  caused,  by  corruption 
or  manipulation  of  information,  upon  mem 
bers  of  the  victim  nation.  How  can  one  claim 
that  shutting  down  utility  grids,  transporta 
tion  systems,  and  banking  systems  is  not 
“mass  destruction”?  Under  the  conventional 
use  of  the  phrase,  as  discussed  above,  it 
simply  does  not  qualify  from  a  legal  stand¬ 
point.  Should  it?  It  seems  that  if  the  satellite 
carries  communications  equipment  that  is 
an  integral  part  of  a  larger  system  that  actu¬ 
ally  causes  or  precipitates  “mass  destruc¬ 
tion”  upon  the  enemy,  then  the  satellite  is  in 
deed  carrying  a  vital  component  of  the 
weapon  system  as  a  whole. 

This  begs  for  a  definition  of  a  “weapon 
system.”  In  this  regard,  the  US  Marine  Corps 
seems  to  be  forward-thinking.  They  look  not 
to  the  physical  aspect  of  an  item,  but  its  in 
tended  use.19  Thus,  if  satellite  communica¬ 
tions  equipment  were  intended  to  be  used 
for  purposes  of  offensive  or  “attack-mode” 
warfare,  it  would  require  the  same  review  as 
any  other  weapon  system  prior  to  its  acqui 
sition.  For  all  practical  purposes,  this  ap 
proach  seems  to  unilaterally  place  commu¬ 
nications  equipment  meant  for  IW  clearly 


IW  CYBERLAW  89 


within  the  treaty  definition.  This  is  not,  how 
ever,  a  settled  issue. 

What  does  the  Outer  Space  Treaty  mean 
when  it  prohibits  satellites  that  “carry”  the 
weapon?  Some  would  argue  that  satellites 
would  not  actually  be  weapons,  since  they 
simply  transfer  information.  As  mere  relays 
for  the  information  warfare  “weapon,”  the 
communications  relay  would  not,  in  and  of  it 
self,  be  a  weapon  subject  to  the  treaty?0 
Again,  this  technical  view  does  not  consider 
the  essential  relay  system  as  part  of  the 
whole  weapon.  A  personal  computer  in  iso 
lation  is  not  capable  of  an  attack  upon  an 
other  nation’s  infrastructure;  but  when  com 
bined  with  telecommunications  satellites 
capable  of  expanding  the  computer’s  influ 
ence  to  a  nation  in  a  distant  area  of  the 
globe,  has  not  the  communications  equip 
ment  aboard  the  satellite  become  part  of  the 
information  “weapon”?  This  may  be  merely  a 
semantic  or  philosophical  argument,  but  it  if 
lustrates  the  ambiguity  of  the  treaty. 

The  Outer  Space  Treaty  isn’t  the  only 
player  on  the  field.  The  Agreement  Govern 
ing  the  Activities  of  States  on  the  Moon  and 
Other  Celestial  Bodies  (the  Moon  Treaty) 
was  created  in  1979.  It  clearly  prohibits  the 
use  of  the  moon  as  a  military  asset.  Devet 
opment  and  exploration  of  the  moon  must 
be  conducted  in  a  peaceful  manner.  The 
treaty  attempts  to  assure  that  the  use  and 
exploration  of  the  moon  will  not  become  an 
area  that  creates  international  discord. 
Moon-based  communications  equipment  for 
information  warfare  purposes  would  seem  to 
be  simply  prohibited.  However,  the  United 
States  has  never  ratified  or  signed  this 
treaty.  Although  the  United  States  is  not 
bound  as  a  signatory  nation,  these  provt 
sions  should  be  considered  before  any  such 
moon-based  system  is  contemplated,  if  for 
no  other  reason  than  for  political  harmony 
and  consistency  in  our  foreign  policy. 

At  first  blush,  the  Convention  on  Interna 
tional  Liability  for  Damage  Caused  by  Space 
Objects  (October  1973)  appears  to  relate  to 
cyberspace.  This  treaty,  commonly  referred 
to  as  the  “Liability  Treaty,”  requires  a  launch 
ing  state  to  pay  for  any  damages  caused  by 


one  of  its  space  objects  if  the  object  causes 
damage  to  the  surface  of  the  earth  or  to  an 
aircraft  in  flight.21  It  also  discusses  space  ob¬ 
jects  “launched”  by  a  state,  implying  the  in¬ 
tent  to  apply  it  to  satellites,  rockets,  and 
other  tangible  space  vehicles.22  The  treaty  is 
vague  enough  that  a  “victim”  state  may 
claim  that  terrestrial  information  damage  is 
fairly  embraced  by  the  language  of  the  treaty 
itself  if  they  are  attacked  or  threatened. 
Since  the  concepts  and  capabilities  involved 
in  IW  are  such  recent  developments,  an  ar 
gument  to  impose  liability  under  this 
decades-old  treaty  may  be  extremely  weak. 

Although  these  treaties  exist  and  may 
have  some  impact  upon  information  warfare, 
they  provide  little,  if  any,  meaningful  guid 
ance.  Recognition  of  these  space-law  con¬ 
siderations  is  vital,  however,  as  they  must  be 
considered  much  as  an  infantryman  would 
consider  the  location  of  mines  while  crossing 
a  field;  they  are  not  necessarily  roadblocks 
to  our  progress  but  have  the  potential  to 
cause  explosive  and  disastrous  international 
legal  problems  if  we  run  afoul  of  their  provi¬ 
sions.  Outer  space  and  cyberspace  may 
seem  conceptually  similar,  but  the  legal 
mechanisms  that  we  rely  upon  to  resolve 
legal  issues  in  outer  space  were  created  to 
resolve  issues  that  simply  do  not  exist  in  cy 
berspace.  Space  law  was  created  to  resolve 
issues  that  revolve  around  spacecraft  or  the 
use  of  celestial  bodies.  Simply  put,  space 
law  will  not  help  us  resolve  any  of  the  issues 
we  currently  face  in  negotiating  the  legal 
landscape  of  cyberspace. 

Does  Telecommunications 
Law  Apply? 

The  treaties  known  as  International 
Telecommunications  Satellite  Organization 
Agreement  (INTELSAT)  and  the  Convention 
on  the  International  Maritime  Satellite  Orga 
nization  (INMARSAT)  comprise  the  body  of 
international  telecommunications  law  that 
currently  exists  and  is  applicable  to  informa 
tion  warfare. 
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The  INTELSAT  (1973)  broadly  defines 
“telecommunications.®  The  treaty’s  intent  is 
to  ensure  that  a  satellite  will  only  be  used  for 


Despite  the  impression  that  one 
might  gamer  from  the  popular 
media,  there  actually  is  a  substan¬ 
tial  body  of  statutory  law  that  ap  - 
plies  directly  to  computer  crime  and 

hackers. 


peaceful  purposes.  This  broad  prohibition  in 
eludes  virtually  every  aspect  of  information 
warfare  data  traffic.  Fortunately,  it  also 
specifically  articulates  a  position  on  satellite 
systems  that  have  a  military  purpose.  “This 
agreement  shall  not  apply  to  the  establish 
ment,  acquisition,  or  utilization  of  space  seg 
ment  facilities  separate  from  the  INTELSAT 
space  segment  facilities  solely  for  national 
security  purposes.’24 

The  International  Telecommunications 
Convention  of  Malaga-Torremolinos  (25  Oe 
tober  1973),  Article  35,  states  that  “all  sta 
tions,  whatever  their  purpose,  must  be  es 
tablished  and  operated  in  such  a  manner  as 
not  to  cause  harmful  interference  to  the 
radio  services  or  communications  of  other 
Members.”  Thus,  the  treaty  seems  to  pro 
hibit  the  use  of  a  satellite  station  to  disrupt  or 
somehow  interfere  with  the  communications 
of  other  states.  Paradoxically,  the  same 
treaty  states,  in  Article  38,  that  “Members  re 
tain  their  entire  freedom  with  regard  to  milt 
tary  radio  stations  of  their  army,  naval,  and 
air  forces.”  Thus,  the  treaty  recognizes  that 
there  may,  indeed,  be  a  military  use  of  a 
satellite  system  that  would  not  otherwise 
comply  with  the  earlier  provisions  of  Article 
35.  However,  since  95  percent  of  our  military 
administrative  traffic  passes  through  civilian 
communications  systems,25  one  must  ask  if 
this  is  a  “military”  system  for  purposes  of  Ar 
tide  38  or  if  it  is  a  “civilian”  system  that  is 
protected  under  Article  35. 

Why  is  the  “civilian  versus  military”  dis 
tinction  relevant?  When  INTELSAT  is  read  in 
conjunction  with  the  International  Telecom 


munications  Convention  of  Malaga-Torre¬ 
molinos,  it  is  clear  that  the  military  may  not 
use  civilian  telecommunications  satellites  to 
assert  military  power,  but  may  use  a  “mili¬ 
tary”  satellite  system  for  such  purposes.  Mif 
itary  telecommunications  satellites,  ex¬ 
pressly  excepted  from  the  International 
Telecommunications  Treaty  of  Malaga-Tor 
remolinos,  may  be  able  to  disrupt  or  inter 
fere  with  the  communications  systems  of 
other  nations  in  the  interest  of  national  secu 
rity,  with  the  limits  discussed  earlier.  The 
character  of  the  communications  satellites  is 
thus  critically  important. 

The  INMARSAT  (1976),  Article  3(1),  limits 
the  use  of  the  INMARSAT  space  segment  to 
the  improvement  and  facilitation  of  maritime 
communications.  The  treaty  restricts  the  use 
of  satellites  owned  or  leased  by  INMARSAT 
to  “peaceful  purposes”  only.  Presumably  this 
would  prohibit  the  use  of  INMARSAT  space 
segments  for  military  purposes?6  The  intent 
of  the  INMARSAT  is  to  prohibit  the  use  of  the 
satellite  systems  for  military  purposes  other 
than  navigation  and  routine  communications 
similar  to  those  in  which  a  civilian  maritime 
vessel  would  normally  engage?7  Generally, 
the  quintessential  interest  in  telecommuni¬ 
cations  seems  to  be  the  preservation  of  the 
tradition  of  noninterference?8 

How  Does  Criminal  Law 
Apply? 

With  the  World  Wide  Web  expanding  at 
its  current  rate,  the  opportunities  for  those 
with  ill  intent  abound.  Most  systems  on  our 
Internet  are  privately  owned  and  are  shock 
ingly  vulnerable  to  a  cyberattack  by  a  tech¬ 
nically  oriented  person  with  criminal  intent. 
Criminal  law  is  an  important  and  relevant 
area  to  consider  when  evaluating  precisely 
what  we  can  legitimately  do.  The  law  is  spe 
cific  and  incorporates  many  fundamental 
constitutional  considerations  such  as  the 
user’s  right  to  privacy  and  the  protection  of 
the  individual  from  unreasonable  searches 
and  seizures. 
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“Any  analysis  regarding  information  defenses  or  back  hacking  must  be  viewed  from  a  criminal  law  perspective — at 
least  until  the  source  of  the  intrusion  can  be  identified. . . .  Once  we  have  determined  the  identity  of  the  unauthorized 
intruder  or  the  origin  of  the  intrusion,  we  can  better  determine  who  must  respond,  and  how.  ’’ 


Despite  the  impression  that  one  might 
garner  from  the  popular  media,  there  actu 
ally  is  a  substantial  body  of  statutory  law  that 
applies  directly  to  computer  crime  and  hack 
ers.29  Computer  crimes  are  federal  of¬ 
fenses.30  Government  computers  and  com 
puters  that  are  merely  used  by  or  for  the 
government  are  protected,31  as  are  comput¬ 
ers  used  “in  interstate  commerce  or  commu 
nications.”32  Obviously,  any  computer  that 
accesses  the  Internet  will  likely  fall  squarely 
within  this  statute.  One  who  knowingly 
causes  the  “transmission  of  a  program,  in 
formation,  code,  or  command  and  as  a  re¬ 
sult  of  such  conduct,  intentionally  causes 
damage  without  authorization,  to  a  protected 
computer”  in  interstate  commerce  has  com 
mitted  a  federal  crime  as  well  (emphasis 
added).33 


The  Access  Device  Fraud  Act  protects 
computer  passwords,  the  use  of  access  de 
vices  is  prohibited,  and  use  of  access  de- 
vice-making  equipment  is  similarly  out 
lawed.34  Title  18  also  provides  some 
password  protection  to  stolen  and  fraudu¬ 
lently  obtained  passwords  which  could  then 
be  used  to  access  computers  by  unautho 
rized  individuals  to  wrongfully  obtain  things 
of  value.35 

Unauthorized  interception  (or  intentional 
disclosure  of  the  contents  of  unauthorized 
interception)  of  wire,  oral,  or  electronic  com 
munications  is  prohibited  by  federal  law?6 
There  are  several  exceptions,  the  most  no 
table  of  which  is  that  so  long  as  one  of  the 
parties  in  the  conversation  has  consented, 
the  interception  is  permitted?7  The  statutory 
framework  also  provides  for  civil  liability  for 
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unauthorized  interception  of  communica 
tions.38 

Unauthorized  access  to  stored  communl 
cations  is  also  prohibited,  and  creates  civil  U 
ability  on  the  part  of  the  one  who  unlawfully 
obtained  such  access.39  Federal  law  also 
proscribes  intentional  unauthorized  access 
to  “a  facility  through  which  an  electronic 
communications  service  is  provided”  if  the 
person  achieving  such  access  “obtains,  at 
ters,  or  prevents  authorized  access”  to  com 
munications  while  the  data  is  in  storage?0 

Federal  statutes  exist  to  protect  federal 
records,  property,  or  public  money?1  Thus, 
bank  and  credit  records  are  protected?2  as 
are  electronic  fund  transfers  involving  inter 
state  commerce  or  foreign  commerce?3  Mail 
fraud  is  proscribed.44  So  is  using  a  remote 
terminal  or  computer  to  further  a  fraud 
where  messages  cross  state  lines® 

Since  making  false  or  fraudulent  state 
ments  to  a  government  department  or 
agency  is  prohibited,46  a  hacker  who  inten¬ 
tionally  and  falsely  represents  himself  elee 
tronically  to  be  an  authorized  user  in  a  gov 
ernment  computer  system  may  violate 
federal  law. 

Of  particular  interest  to  the  Internet  com 
munity  is  the  Privacy  Protection  Act  of 
198  0.47  This  statute  provides  protection  to 
electronic  bulletin  board  systems  (BBS)  op 
erators.  BBSs  may  still  be  searched,  how 
ever,  if  the  government  meets  a  specified 
criteria  and  obtains  the  proper  authoriza 
tion.48 

E-mail  interception  is  governed  by  exist 
ing  telecommunications  law.  Intercepting  the 
communications  and  accessing  the  commu 
nications  are  possible  if  they  meet  the  crite 
ria  of  the  law’s  exceptions,  with  proper 
search  authority,  or  with  a  court  order® 

Why  are  all  of  these  criminal  laws  impor 
tant  to  help  us  determine  what  the  military 
can  legitimately  do?  Until  the  identity  of  the 
hacker  is  known,  we  must  obey  the  criminal 
laws.  These  laws  apply  to  us  as  well  as  to 
the  hacker.  Once  the  hacker  is  identified, 
however,  different  approaches  may  be  ap 
propriate  (more  on  this  later). 


Search  and  seizure  laws  vary  radically 
from  country  to  country,  and  the  biggest 
problem  law  enforcement  authorities  face  is 
the  chaos  that  seems  to  arise  when  the 
hacker  is  located  in,  or  electronically  travels 
through,  a  foreign  country.  For  example, 
while  we  recognize  an  exception  to  our 
Fourth  Amendment  warrant  requirement  if 
there  is  exigency  or  “hot  pursuit”  to  appre¬ 
hend  a  criminal,50  not  all  governments  would 
recognize,  or  even  care,  about  a  US  consti¬ 
tutional  amendment  exception  when  the 
United  States  seeks  to  intrude  into  their  sys 
terns  without  preexisting  authority.  Imagine  a 
hypothetical  hacker,  located  in  New  York, 
who  hacked  through  a  commercial  computer 
system  into  a  computer  in  France,  then  on  to 
a  government  computer  in  Taiwan,  then 
through  a  Chinese  military  installation,  back 
to  South  Korea,  on  to  an  installation  in  North 
Korea,  then  to  the  Japanese  Defense  Force 
computer  system  on  Okinawa,  and  finally, 
back  to  the  United  States,  where  the  hacker 
unlawfully  enters  a  NASA  computer.  Con¬ 
sider  the  international  uproar  if  North  Korea 
and  China  perceived  the  United  States  gov 
ernment’s  pursuit  of  the  hacker  to  be  an  in¬ 
trusion  upon  their  military  information  sys 
terns.  Suppose  they  view  the  initial  hacker 
as  a  user  and  the  person  “back  hacking” 
through  their  system  as  the  hacker.  The  po 
litical  ramifications  are  magnified  consider 
ably  if  they  then  determine  that  the  hacker 
turns  out  to  be  a  US  government  or  law  en¬ 
forcement  agent!  This  is  an  area  where  pol¬ 
itics  is  clearly  a  paramount  concern  and  may 
be  at  odds  with  obvious  national  security 
concerns. 

In  the  cases  of  Rome  Labs  and  the  Ar 
gentine  Intrusion,  the  hackers  electronically 
traveled  through  foreign  nations  before 
reaching  their  intended  targets.  In  each 
case,  the  primary  problem  in  rapidly  identify 
ing  the  intruder  was  obtaining  the  coopera 
tion  of  the  international  police  agencies  and 
governments  involved.51 

The  Council  of  Europe  recently  convened 
to  address  this  issue.  It  was  clear  that  the 
various  nations  need  to  work  together  to¬ 
ward  standardized  uniform  criminal  proce 
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dures.  After  evaluation  of  the  problems  in 
volved,  the  council  recommended  that  “the 
power  to  extend  a  search  to  other  computer 
systems  should  also  be  applicable  when  the 
system  is  located  in  a  foreign  jurisdiction, 
provided  that  immediate  action  is  required. 
In  order  to  avoid  possible  violations  of  state 
sovereignty  or  international  law,  an  unam 
biguous  legal  basis  for  such  extended 
search  and  seizure  should  be  established.62 

Investigation  of  federal  computer  crimes 
in  the  United  States  is  generally  within  the 
purview  of  the  Federal  Bureau  of  Investiga 
tion  (FBI).  If  a  foreign  source  of  an  electronic 
intrusion  is  identified,  the  Central  Intellt 
gence  Agency  (CIA)  would  become  in¬ 
volved.  The  Secret  Service  is  the  office  of 
primary  responsibility  when  the  intrusion  has 
financial  implications.  While  the  Defense  In 
formation  Systems  Agency  (DISA)  handles 
security  breaches  in  military  computer  sys 
terns,  the  Air  Force’s  Office  of  Special  In 
vestigations  (AFOSI)  is  deemed  a  leader  in 
developing  investigation  strategies  and  is 
generally  given  a  great  deal  of  freedom  in  in 
vestigating  incidents  involving  Air  Force 
computers. 

It  seems  that  there  will  be  some  interna 
tional  effort  to  resolve  the  incompatibility  of 
criminal  law  at  some  point  in  the  near  future. 
Until  such  time,  the  best  way  for  law  en 
forcement  to  track  hackers  through  diverse 
jurisdictions  is  through  close  coordination 
with  investigators  in  the  host  countries  and 
in  strict  compliance  with  their  laws.  This  ap 
proach  is  not  particularly  rapid  or  efficient, 
but  it  respects  the  all-important  concept  of 
national  sovereignty  and  causes  no  adverse 
international  political  ramifications. 

The  Law  of  Armed  Conflict 

Much  of  our  international  law  is  merely  a 
recognition  of  the  “customary  laws”  of  na 
tions.  Some  of  these  have  been  codified  and 
have  become  treaties,  while  yet  others  re 
main  as  mere  manifestations  of  accepted 
traditional  international  practice.®  The  rules 
governing  the  conduct  of  nations  and  com 


batants  during  hostilities  are  known  collee 
tively  as  the  Law  of  Armed  Conflict.  The 
LOAC  is  simply  that  part  of  international  law 
that  represents  an  attempt  to  regulate  con¬ 
duct  during  armed  hostilities  in  a  manner 
that  is  practical  (so  that  it  will  not  impede  the 
waging  of  war)  but  to  nonetheless  minimize 
its  savagery.  Whether  war  is  waged  on  the 
muddy  fields  of  Verdun  by  shell-shocked  in 
fantry  troops  or  a  high-tech  cyberspace  bat 
tlefield,  the  rules  and  general  principles  of 
the  LOAC  remain  applicable. 

The  primary  conventions  that  codified  the 
concepts  of  war-fighting  principles  are  found 
in  the  various  Flague  and  Geneva  Conven 
tions.54  Basically,  the  Flague  Conventions 
can  be  thought  of  as  “offensive”  in  nature, 
while  the  Geneva  Conventions  deal  with  the 
treatment  of  the  sick,  wounded,  and  prison¬ 
ers  of  war;  these  may  be  collectively  consid 
ered  mere  “defensive”  provisions.  These 
conventions  are  now  the  nucleus  of  the 
LOAC.55 

Their  primary  objective  is  to  ensure  that 
hostilities  are  directed  to  defeat  enemy 
forces,  not  to  injure  innocent  civilians  or 
other  noncombatants.  The  LOAC  is  an  at 
tempt  to  protect  everyone,  combatant  or 
noncombatant,  from  unnecessary  suffering, 
savagery,  and  brutality  that  accompanies 
armed  conflict.  It  is  a  method  to  facilitate  the 
restoration  of  peace  following  the  conclusion 
of  armed  hostilities. 

Typically,  the  main  principles  of  the  LOAC 
are  military  necessity,  humanity,  proportion 
ality,  and  chivalry.  These  fundamental  princi¬ 
ples  are  used  as  a  guide  in  interpreting  the 
LOAC  and  in  reaching  an  appropriate  con 
elusion  when  particular  circumstances  do 
not  specifically  fit  within  the  parameters  of 
existing  rules.56 

The  LOAC  provides  combatants  with  cer 
tain  rights  and  privileges  if  wounded  or  cap 
tured  in  wartime,  and  it  proscribes  certain  of 
tensive  activities.  The  Prisoner  of  War 
Convention  identifies  the  “protected  per 
sons”  under  the  LOAC.57  Generally,  civilians 
accompanying  an  armed  force  do  not  en 
gage  in  acts  of  war — media  representatives, 
contractors,  civilian  services  personnel,  and 
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so  forth — are  all  deemed  “Auxiliary  Ser 
vices”  and  are  entitled  to  prisoner-of-war 
(POW)  status  if  captured.  If  one  of  these  in 
dividuals  were  to  engage  in  a  hostile  act, 
that  individual  would  be  deemed  an  “Unlaw 
ful  Combatant”  and  could  be  punished  under 
the  laws  of  the  captor.58  Spies  do  not  receive 
any  special  treatment  under  the  LOAC  and 
are  punished  under  the  laws  of  the  captor 
nation.59 

The  conventions  and  traditions  seem 
clear  and  easy  to  understand,  but  when  ap 
plied  to  information  warfare,  they  become 
difficult  to  administer.  To  date,  the  rules  and 
laws  have  been  concerned  with  sovereign 
borders  and  physical  invasion  of  those  bor 
ders  by  armed  belligerents.  In  cyberspace 
there  are  no  borders.  The  landscape  is  an 
unbroken  terrain  of  network  connections  be 
tween  military  and  civilian  computer  systems 
that  interact  rapidly  without  regard  to  the  ar 
tificial  lines  on  a  map  that  designate  interna 
tional  borders.  The  threat  comes  from  com 
puter  technicians  who  may  be  able  to 
disable  banking  systems,  electrical  grids, 
airline  traffic  control  systems,  and  communf 
cations  equipment.  At  what  point  are  these 
actions  serious  enough  for  a  victim  nation  to 
respond  with  force?  What  is  an  act  of  war  in 
cyberspace?  Is  a  personal  computer  or 
Unix-based  system  a  “weapon”?  Is  hacking 
through  the  communications  systems  of  a 
hostile  nation  an  “attack”? 

Air  Force  Policy  Directive  (AFPD)  51-4, 
Compliance  with  the  Law  of  Armed  Conflict , 
par.  2,  requires  Air  Force  personnel  to  com 
ply  with  the  rules  “during  armed  conflict.” 
The  AFPD  defines  armed  conflict 60  as  a  sit¬ 
uation  where  at  least  one  state  has  begun  to 
use  armed  force.  However,  there  is  no  guid 
ance  on  what  legally  constitutes  “armed 
force.”  Logically,  to  use  armed  force,  one 
must  utilize  an  arm  or  weapon  of  some  type. 

Air  Force  Instruction  (AFI)  51-402, 
Weapons  Review,  May  1 994,  suggests  com¬ 
puter  systems  would  probably  not  be  con 
sidered  weapons.  “Weapons  are  devices 
designed  to  kill,  injure,  or  disable  people,  or 
to  damage  or  destroy  property.  Weapons  do 
not  include  .  .  .  electronic  warfare  devices.01 


Even  though  the  computer  itself  would  not 
be  thus  deemed  a  “weapon,”  it  could,  in 
deed,  do  substantial  damage  to  an  enemy’s 
war-fighting  capability.62 

None  of  these  issues  have  yet  been  re 
solved.  It  is  not  surprising  that  the  LOAC  is 
not  up  to  date  in  regard  to  IW.  During  World 
War  I,  no  provisions  existed  for  aerial  war 
fare;  principles  had  to  be  developed  from  the 
existing  rules  that  governed  ground  warfare 
and  naval  bombardment.  Only  after  seeing 
the  results  of  applying  land  warfare  rules  to 
bombing  did  the  thought  arise  to  develop  a 
code  specifically  designed  to  address  air 
warfare.63  The  LOAC  is  dynamic  and  evolves 
along  with  new  technology  and  the  war-fight 
ing  capabilities  of  various  nations. 

Even  though  damage  may  be  done  to  a 
nation’s  capabilities,  there  is  no  authority  to 
suggest  that  a  computer  is  a  weapon  or  that 
an  information  operation  act  is  an  “act  of 
war.”  Of  course,  if  a  hostile  nation  defines 
the  act  of  war  based  on  damage  caused  or 
damage  potential  instead  of  the  character  of 
the  item  used  to  commit  the  act,  the  analysis 
would  be  quite  different.  Although  this  view 
may  not  favor  the  nation  with  the  technolog 
ical  edge,  it  is  the  most  logical  conclusion.  If 
death  and  destruction  resulted  from  the  IW 
operation,  an  armed  response  by  the  victim 
nation  would  probably  be  warranted.  If  we 
were  to  cause  a  power  grid  shutdown  in  a 
foreign  country,  it  could  foreseeably  lead  to 
civilian  riots;  hospitals  could  have  unfore 
seen  casualties  from  failing  life-support  or 
otherwise  relying  upon  the  power  grid  for 
public  health  purposes;  mass  transit  in  major 
cities  could  be  disrupted  bringing  a  con¬ 
comitant  economic  disaster  when  workers 
cannot  get  to  their  place  of  employment;  and 
the  financial  system  could  be  disabled.  The 
potential  adverse  repercussions  could  be  re 
markably  dramatic.  It  would  be  difficult,  in¬ 
deed,  to  convince  the  victim  nation  that  this 
intentional  vulnerability  exploitation  by  an 
unfriendly  nation  was  not  an  act  of  war.  If 
even  minor  disruptions  can  cause  violent 
outbursts  and  disarray,64  imagine  the  reper¬ 
cussions  of  intentional  and  strategic  manip 
ulation  of  a  country’s  infrastructure  systems. 
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Military  retaliation  by  the  victim  country 
should  be  an  expected  consequence  of  such 
an  electronic  attack. 

Defensive  Application  of  the 
LOAC  to  Information  Warfare 

Defensively,  there  does  not  seem  to  be 
any  issue  of  great  legal  significance.  A  na 
tion  may  protect  its  information  or  systems  in 
any  way  it  chooses  so  long  as  it  does  not 
negatively  impact  another  nation  or  another 
nation’s  communications  systems.  Issues 
such  as  encryption  and  various  other  as 
pects  of  cryptology  are  currently  raising  a 
great  deal  of  interest,  but  at  this  point,  the  is 
sues  raised  seem  to  be  those  of  policy  and 
strategy,  not  of  law.  Offensively,  the  charae 
ter  of  the  problem  is  quite  different. 

Offensive  Application  of  the 
LOAC  to  Information  Warfare 

What  are  some  of  the  offensive  possibilt 
ties?  Could  we  attach  a  “logic  bomb”  to  DOD 
information,  so  that  a  hacker  who  obtains 
the  information  also  obtains  the  “bomb”  that 
destroys  his  computer  system?  Could  we 
engage  in  “active  defense”  where  we  inten 
tionally  send  destructive  code  to  his  ma 
chine  upon  realization  and  confirmation  of 
the  unauthorized  penetration  of  the  DOD 
system?  Could  we  send  him  a  “worm”  to  in 
feet  and/or  disable  his  system? 

We  can  do  none  of  these  things.  Without 
identifying  the  infiltrator,  we  cannot  even  de 
termine  whether  it  is  a  national  security 
issue.  The  new  amendment  to  the  Computer 
Fraud  and  Abuse  Act  of  18  USC  1030  (a)(5) 
prohibits  the  intentional  destruction  of  data 
in  computers  without  regard  to  whether  the 
person  “attacked”  was  initially  authorized  ae 
cess  or  not.  Such  activity  is  a  federal  felony. 
Additionally,  if  the  attacker  wove  his  way 
through  several  different  systems  before  “at 
tacking”  the  DOD  computer,  and  in  re 
sponse,  we  sent  a  destructive  code  to  him, 
there  is  a  possibility  that  every  system  along 


the  way  would  also  be  damaged  or  cor 
rupted.  This  could  be  disastrous  if  he  were 
using  a  government  computer  or  accessing 
the  information  through  yet  another  govern- 


There  is  seldom  a  clear  point  at 
which  we  can  identify  the  mythical 
act  of  war. 


ment  computer.  But  what  if  the  hacker  were 
a  teenager  using  a  civilian  parent’s  com 
puter  where  his  parent  ran  a  business  out  of 
the  home,  such  as  a  dentist,  accountant, 
lawyer,  or  other  professional?  Taking  down 
the  computer  system  with  client  records 
stored  therein  could  have  unintended  conse 
quences,  potentially  very  costly  ones.  How 
could  fast  responses  ensure  that  collateral 
damage  is  minimized  or  at  least  considered? 
There  seems  to  be  no  effective  way  to  un¬ 
dertake  “active”  defenses  that  would  be  ae 
ceptable,  either  legally,  conceptually,  or 
practically.  The  preferable  approach  may  be 
to  use  additional  (self-altering)  passwords 
and  advanced  encryption  or  even  several 
layers  of  encryption  if  necessary.65 

Discussion  of  an  act  of  war  seems  to  be 
in  vogue  right  now  in  information  warfare  cir 
cles.  Even  casual  rumination  on  this  point 
would  lead  to  the  conclusion  that  it  is  “a  sin 
gularly  imprecise  and  unhelpful  concept” 
that  became  passe  a  half-century  ago?6 
Conflict  is  a  process  of  escalation.  If  a  coun 
try  engages  in  an  unfriendly  conduct  of 
some  type,  then  the  adversely  affected  na 
tion  would  likely  respond  “offensively.”  This 
is  not  a  progression  of  distinct  stages  but 
rather  an  unbroken  continuum  where  un 
friendly  acts  become  increasingly  hostile. 
There  is  seldom  a  clear  point  at  which  we 
can  identify  the  mythical  act  of  war.  Interna 
tional  concerns  from  both  a  political  and 
legal  perspective  must  always  be  consid¬ 
ered  any  time  a  nation  seeks  to  engage  in 
unfriendly  activity  where  another  nation  may 
suffer.  Unfriendly  acts  have  been  used  for 
hundreds  of  years  to  encourage  a  nation  to 
comply  with  a  particular  demand  of  another 
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country.  A  naval  blockade  is  an  age-old  ex 
ample  of  an  “unfriendly  act”  intended  to  d+ 
rect  or  control  another  nation’s  actions.  Eco 


I  submit  that  even  in  peacetime, 
however,  the  principles  behind  the 
LOAC  remain  applicable  at  all 

times. 


nomic  embargoes  and  blockades  are  also 
unfriendly  acts  with  concomitant  adverse  in 
ternational  impact.  Both  have  been  histort 
cally  viewed  as  unfriendly  acts,  but  not  nee 
essarily  acts  of  war. 

Is  there  an  electronic  parallel  between  an 
economic  embargo  and  an  information  em 
bargo?  Information  isolation  is  an  analogous 
counterpart  to  the  naval  blockade  of  yester 
year.  These  activities  occur  outside  of  the 
nation’s  borders,  whether  the  blockade  is  a 
physical  one  or  an  electronic  one.  A  block 
ade  is  not  an  act  of  infiltration,  as  an  attack 
would  be.  An  electronic  blockade  would  ere 
ate  a  similar  isolation,  only  it  would  apply  to 
the  nation’s  electronic  networks.  In  such  a 
scenario,  an  electronic  embargo  or  blockade 
would  (and  should)  be  subject  to  precisely 
the  same  political  and  policy  considerations 
as  its  eighteenth  century  counterparts?7 The 
low-level  unfriendly  activity  of  these  types  is 
nothing  new;  only  the  medium  has  changed 
in  size,  scope,  and  complexity  from  physical 
coordinates  to  cyberspace. 

Offensive  information  warfare  using  com 
puter  technology  should  be  viewed  as  an  es 
calation  of  hostilities  instead  of  an  act  of  war. 
This  commonsense  approach  would  better 
reflect  the  reality  of  politics  in  international 
relations.  Escalation  of  hostilities  may  reach 
the  point  where  actual  physical  damage  is 
caused  by  a  belligerent  nation’s  armed  milt 
tary  force;  the  rules  of  the  LOAC  are  then 
clearly  and  unequivocally  applicable.  An  ex 
ample  of  this  is  the  1 986  bombing  of  a  disco 
in  Germany  by  state-sponsored  terrorists 
from  Libya.  Our  response  was  to  bomb  sev 
eral  military  sites  in  Libya  including  the 
Tripoli  Airport,  the  Aziziya  barracks,  a  naval 
base  and  airfield,  and  the  port  of  Benghazi® 


This  response  by  the  United  States  was  well 
within  the  parameters  of  acceptable  behav 
ior  of  a  nation  under  the  LOAC. 

If  the  offensive  use  of  computers  to  dis 
rupt,  corrupt,  interfere  with,  or  deny  enemy 
computer  and  information  system  utilization 
does  not  equate  to  an  armed  conflict,  then 
the  LOAC  would  (arguably)  not  apply  to  the 
offensive-mode  computer  intervention  in  an 
other  nation’s  systems.69  This,  it  seems,  is  a 
troublesome  interpretation  of  the  applicable 
ity  of  the  LOAC  to  cyberwarfare.  It  would 
leave  the  door  wide  open  for  offensive  use 
of  computers  with  no  checks  or  balances 
upon  such  use.  It  suggests  that  the  princi¬ 
ples,  discussed  above,  would  not  apply  in 
the  absence  of  armed  conflict. 

It  would  seem  that  many  electronic  activi¬ 
ties  have  clear  parallels  to  traditional  “physi¬ 
cal”  actions  that  a  nation  may  take.  If  one 
were  simply  to  equate  the  electronic  action 
to  a  physical  act  according  to  the  damage 
done,  the  analysis  is  much  less  problematic. 
In  these  cases,  traditional  LOAC  analysis 
applies.70  I  submit  that  even  in  peacetime, 
however,  the  principles  behind  the  LOAC  re 
main  applicable  at  all  times. 

The  Law  of  Armed  Conflict  obviously  ap 
plies  to  “armed”  conflict.  Traditionally,  this 
has  implied  a  physical  invasion  or  confronta 
tion.  It  seems  readily  apparent  from  a  con 
ceptual  viewpoint  that  computer  warfare 
should  be  governed  by  the  traditional  laws  of 
armed  conflict,  but  the  terminology  used  in 
our  conventions  does  not  clearly  apply.  To 
casually  dismiss  the  applicability  of  the 
LOAC  simply  because  the  LOAC  does  not 
apply  under  a  strict,  literal  reading  of  the 
conventions  would  be  a  simplistic  approach 
by  a  nation  that  would  be  inclined  to  exploit 
this  loophole.  The  danger  is  that  such  a 
loose  (and  arguably  inappropriate)  reading 
of  the  laws  is  that  it  works  both  ways.  The 
nation  that  seeks  to  exploit  a  vulnerability  of 
another  nation  then  later  claims  that  the 
LOAC  does  not  apply  should  beware  that  it 
may  be  the  victim  of  a  cyberattack  by  a  sim 
ilarly  disposed  nation.  Under  such  circum 
stances,  the  hapless  victim  of  the  attack 
would  likely  change  its  definition  rapidly  and 
claim  a  contrary  interpretation  of  the  LOAC. 
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It  is  critical  that  these  issues  be  resolved  as 
soon  as  possible  to  prohibit  or  inhibit  the 
gamesmanship  that  these  ambiguities  invite. 

Does  a  nation  forfeit  its  neutrality  if  com 
munications  from  a  belligerent  nation  travels 
through  communications  relays  physically 
located  inside  the  neutral’s  borders?  Infor 
mation  warfare  operations  are  as  likely  to 
travel  through  neutral  countries  as  any  oth 
ers  before  reaching  the  belligerent  target. 
Computer  telecommunications  travel 
through  cyberspace  in  exactly  the  same  way 
as  routine  telephone  traffic.  A  single  tele 
phone  conversation  may  travel  through  sev 
eral  different  links.  Part  of  the  conversation 
may  occur  through  a  set  of  links  that  auto 
matically  shift  to  another  route  without  dis 
rupting  the  connection  while  remaining 
transparent  to  the  user.71  There  is  no  sure 
way  to  know  exactly  what  route  an  informa 
tion  attack  would  travel  over  the  international 
telecommunications  systems  in  getting  to 
the  target  belligerent.  However,  uninten 
tional  intrusions  of  a  belligerent  into  a  neu 
tral  country’s  communications  systems  is 
not  deemed  an  LOAC  violation,  nor  does  the 
neutral  nation  forfeit  its  neutrality.72  Of 
course,  if  a  neutral  nation  were  to  restrict 
one  belligerent  nation  from  using  its  tele 
phone  relay  systems  while  allowing  such 
use  by  another  belligerent  nation,  then  a  dif 
ferent  analysis  would  apply.  If  the  same 
telecommunications  systems  are  open  to  all, 
and  the  use  by  belligerents  is  not  intentional, 
then  there  is  no  threat  to  the  neutral  nation’s 
claim  of  neutrality. 

Jurisdiction  and  Information 
Warfare  Investigations 

During  the  Vietnam  conflict,  the  US  Army 
was  called  upon  to  respond  to  a  variety  of  vf 
olent  outbreaks  of  protesters.  The  Army 
worked  in  conjunction  with  local  law  en¬ 
forcement  and  quickly  found  that  the  intellf 
gence  available  regarding  potential  adver 
saries  was  inadequate.  The  US  Army 
Intelligence  Command  (USAINTC)  devet 
oped  an  “elaborate,  nationwide  system  with 


the  potential  to  monitor  any  and  all  political 
expression.  No  person  was  too  insignificant 
to  monitor;  no  activity  or  incident  too  irrele 
vant  to  record.”73 

Even  though  the  DOD  prohibited  the  col¬ 
lection  of  civilian  surveillance  in  the  1970s 
and  mandated  the  destruction  of  the  records 
that  had  been  compiled  already74  both  the 
House  and  Senate  formed  select  commit 
tees  to  monitor  the  military  surveillance  data 
collection  and  act  as  an  oversight  commit 
tee.75  The  Intelligence  Oversight  Committee 
acts  as  a  check  upon  the  military’s  poten¬ 
tially  invasive  investigation  and  database 
building  capabilities. 

Covert  IW  activity76  is  governed  by  federal 
law.77  The  president  of  the  United  States 
must  submit  a  finding  to  Congress,  in  writ 
ing,  that  details  exactly  why  the  foreign  pol¬ 
icy  activities  of  the  United  States  require  the 
covert  action  and  explaining  why  the  action 
is  important  for  assurance  of  national  secu 
rity.78 

Even  the  CIA  must  obtain  a  Presidential 
Finding  before  conducting  peacetime  covert 
information-gathering  operations.79  DOD  is 
tasked  to  respond  to  CIA  needs  by  the  diree 
tor  of  the  CIA;  DOD  is  the  only  primary 
agency  for  signal  intelligence  activities 
through  the  National  Security  Agency 
(NSAj.^The  Treasury  Department  is  respon¬ 
sible  for  collecting  information  related  to  ft 
nancial  concerns,  monetary  information,  and 
foreign  economic  information.  The  Treasury 
Department  is  authorized  only  to  collect 
“overt”  information.81  Overt  information  collec¬ 
tion  is  considered  to  be  the  gathering  of  data, 
where  the  target  of  the  data  collection  is 
aware  that  they  are  giving  information  to  the 
government  agency  which  is  engaged  in  the 
collection  activity.82  The  State  Department 
conducts  information  relevant  to  US  foreign 
policy.  Like  the  Treasury  Department,  the 
State  Department  is  normally  limited  to  cot 
lection  of  only  overt  information?3 

All  executive  agencies  are  generally  pro¬ 
hibited  from  participating  in  secret  opera 
tions  unless  they  obtain  approval  from  the 
agency  and  the  attorney  general.  Even  then, 
the  activity  can  only  be  undertaken  as  part  of 
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a  lawful  FBI  investigation  or  when  the  target 
of  the  surveillance  is  composed  primarily  of 
people  with  foreign  allegiance  and  the  in 
vestigators  must  reasonably  believe  that  the 
target  organization  or  people  are  acting  on 
behalf  of  a  foreign  power.84 

Collection  of  foreign  intelligence  informa 
tion  (data  about  capabilities,  intentions  and 
activities  of  foreign  countries,  organizations, 
and  persons)85  is  permissible  in  the  United 
States,  and  it  must  be  gathered  by  the  FBI  or 
an  intelligence  component  (with  some  profit 
bitions)  and  may  not  be  collected  if  the  pur 
pose  is  to  acquire  information  about  an  indt 
vidual’s  domestic  activity.  Collection  of 
intelligence  data  is  allowed  in  international 
terrorist  or  international  drug  investigations, 
if  needed,  to  protect  a  person  or  an  organ* 
zation.86  Collection  of  information  to  protect 
US  (or  foreign)  intelligence  sources,  or 
methods  of  collecting  such  information,  is 
also  permissible.87 

The  FBI  is  permitted  to  collect  information 
in  the  United  States  if  the  efforts  are  to  protect 
intelligence  sources  or  methodology  from 
unauthorized  disclosure.88  An  intelligence 
component  may  only  collect  information  re 
garding  employees  or  contractors.89  It  may 
also  collect  information  on  past  or  present  em 
ployee  applicants.  If  the  intelligence  compo 
nent  is  within  the  charter  of  the  government 
agency,  it  may  collect  information  about  peo 
pie  that  it  reasonably  believes  to  be  potential 
sources  or  contacts.  Such  surveillance  is 
deemed  necessary  to  determine  their  credibit 
ity  or  suitability  for  utilization  as  contacts® 
Overhead  reconnaissance  not  specifically  d+ 
rected  at  US  persons  is  also  allowed,  as  is  in 
formation  about  security  investigations  of 
personnel  or  communications  security?1  Infor¬ 
mation  incidentally  obtained  that  indicated  in 
volvement  in  a  crime  is  permitted  as  well?2 
Lastly,  information  may  be  obtained  by  an  au 
thorized  component  or  unit  if  it  is  “necessary 
for  administrative  purposes. Although  this 
sounds  like  a  euphemism  for  a  carte  blanche 
authorization  for  the  DOD,  it  would  be  unlikely 
for  the  National  Security  Authority  (the  prest 
dent  acting  through  the  secretary  of  defense) 
to  approve  such  an  operation  without  a  valid, 
necessary  administrative  reason?* 


The  DOD  is  not  exempt  from  normal 
“civilian”  rules  that  govern  the  conduct  of 
computer  operations.  This  is  to  say  that 
there  is  no  exemption  from  the  US  Constitu 
tion  or  various  federal,  state,  or  foreign  crim 
inal  laws.  The  restrictions  upon  intelligence¬ 
gathering  operations  must  satisfy  the 
restrictions  placed  upon  the  activity  by  the 
rules  of  criminal  law,  foreign  criminal  laws, 
and  international  treaties.  For  information- 
warfare  purposes,  this  restriction  is  by  far 
the  most  onerous,  as  outlined  in  the  criminal 
law  section  discussed  earlier  in  this  article. 

Conclusion 

My  paradigm  for  analysis  of  these  issues 
incorporates  a  criminal  law  “default.”  That  is 
to  say,  any  analysis  regarding  information 
defenses  or  back  hacking  must  be  viewed 
from  a  criminal  law  perspective — at  least 
until  the  source  of  the  intrusion  can  be  iden 
tified.  We  must  not  act  in  any  way  that  would 
damage  the  unauthorized  intruder’s  com 
puter  or  any  intermediate  systems,  as  we 
would  not  yet  be  able  to  ascertain  the  risks 
of  taking  affirmative,  aggressive  action 
against  the  intrusion.95  Once  we  have  deter¬ 
mined  the  identity  of  the  unauthorized  in 
truder  or  the  origin  of  the  intrusion,  we  can 
better  determine  who  must  respond  and 
how.  Exactly  how  we  proceed  from  that  point 
depends  upon  the  location  of  the  hacker  and 
an  assessment  of  the  potential  collateral 
damage. 

If  the  intrusion  is  by  a  US  citizen  or  milt 
tary  hacker,  then  the  investigation  and  re 
course  are  undertaken  by  the  appropriate 
government  agency  such  as  the  FBI,  CIA,  or 
Secret  Service.  If  the  intruder  is  not  a  citizen, 
but  constitutes  a  foreign  power,  then  the  FBI 
or  CIA  with  DOD  support  would  be  the  likely 
agencies  to  resolve  the  issue.  All  applicable 
international  laws,  treaties,  and  criminal 
laws  would  clearly  apply. 

During  wartime,  however,  DOD  is  given 
wide  latitude  to  undertake  intelligence-gather 
ing  activities.  During  such  times  of  conflict,  the 
paramount  concern  would  be  national  secu 
rity.  Many  of  the  international  customs  and 
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treaties  are  simply  disregarded  during  time  of 
war,  subject  to  some  limitations  (such  as  con 
tinued  adherence  to  the  Law  of  Armed  Con 
flict).  If  covert  operations  in  the  interest  of  na 
tional  security  are  planned,  then  the  traditional 
criminal  rules  would  not  strictly  apply,  as  pros 
ecution  of  offenders  would  probably  not  be 
contemplated.  At  that  point,  we  would  be  more 
interested  in  ensuring  our  national  security  in 
stead  of  future  potential  prosecution  of  crimt 
nal  offenders.  Of  course,  such  disregard  of  in 
ternational  agreements  will  only  happen  when 
directed  by  the  very  highest  levels  of  our  gov 
ernment,  and  only  after  the  ramifications  and 
repercussions  of  such  activity  is  thoroughly 
examined.  This  rapidly  evolves  into  an  issue 
that  emphasizes  the  political  dimension  and 
relies  upon  motivations  rooted  in  domestic 
and  foreign  policy;  it  is  not  necessarily  guided 
or  constrained  by  the  law. 

Although  this  analysis  framework  seems 
vague,  the  issue  can  be  resolved  by  always 
resorting  to  a  criminal-law  default.  Once  the 
system  intruder’s  identity  is  known,  we  will 
be  better  able  to  assess  the  relative  merits 
of  our  response  alternatives.  If  the  intrusion 
occurs  in  time  of  war,  then  the  rules  by  which 
we  play  are  slightly  altered  in  the  best  inter 
ests  of  national  security.  If  the  issue  is  one  of 
covert  operations,  then  entirely  different 
rules  apply,  as  outlined  above. 

Information  warfare  techniques  are  best 
viewed  as  another  instrument  of  foreign  pot 
icy  from  an  LOAC  perspective.  The  prob 
lematic  aspect  of  this  conclusion  is  that  the 
above-mentioned  treaties  and  criminal  laws 
would  likely  prohibit  the  bulk  of  the  most 
technologically  effective  techniques  from 
being  used,  particularly  during  peacetime. 

There  are  many  aspects  of  “cyberlaw” 
that  are,  as  yet,  still  unclear.  These  uncer 
tainties  must  be  resolved.  If  a  nation  takes 
advantage  of  the  ambiguities  that  exist,  the 
time  to  resolve  the  issues  may  be  upon  us 
before  we  are  prepared  to  address  them. 
Under  such  circumstances,  it  is  unlikely  that 
we  would  obtain  the  result  that  would  be  in 
our  best  interests.  The  United  States  should 
seize  the  initiative  on  these  issues  and  pro 
vide  guidance  and  leadership  that  would 


help  ensure  that  the  ambiguities  are  re 
solved  properly  and  in  the  best  interests  of 
the  United  States. 

It  has  been  clearly  demonstrated  that  we 
are  not  giving  the  issue  of  computer  system 
vulnerability  adequate  attention.  From  the 
neglected  systems  themselves  to  the  ne¬ 
glected  system  administrators,  we  seem  to 
be  passively  enabling  the  hackers,  crackers, 
and  miscellaneous  unauthorized  intruders  to 
accomplish  their  goals.  We  must  enhance 
the  security  of  our  systems  and  provide 
those  involved  in  the  operation  of  the  sys 
terns  with  the  recognition  and  training  that 
they  deserve.  We  realize  our  systems  are 
shockingly  vulnerable  and  must  act  much 
more  quickly  than  we  seem  to  be  doing  to 
rectify  this  unfortunate  situation. 

Despite  the  problems  that  we  have  expe 
rienced,  the  United  States  (particularly  the 
United  States  military)  seems  to  be  increas 
ingly  proactive  in  taking  decisive  action.  As 
vulnerable  as  we  appear  to  be,  it  seems  that 
we  are  still  on  the  cutting  edge  in  addressing 
information  warfare  and  global  cyberspace 
issues.  The  Council  of  Europe  has  recom 
mended  that  we  standardize  our  criminal 
procedures  to  facilitate  the  tracking  of  inter 
national  hackers,  and  we  must  seize  the  ini¬ 
tiative  to  properly  influence  the  drafting  and 
implementation  of  effective  international 
agreements  as  soon  as  practicable.  At 
though  other  countries  recognize  the  prob 
lems,  it  seems  that  we  (the  United  States) 
remain  as  the  leaders  in  the  realm  of  cyber 
law  and  in  recognizing  its  importance  in  the 
information  age.  The  present  and  future  cost 
of  losing  our  position  of  leadership  in  this 
area  may  be  beyond  calculation.  It  is  imper 
ative  that  we  remain  on  the  cutting  edge, 
both  in  ensuring  the  responsiveness  of  da 
mestic  law  and  international  agreements  to 
the  emerging  technologies  encountered  in 
the  on-line  world;  we  have  a  chance  to 
shape  the  very  substance  of  future  cyberlaw. 
If  we  fail  to  do  so,  we  must  become  content 
to  live  under  global  treaties  and  practices 
that  may  not  be  wholly  to  our  liking.  We  can¬ 
not  afford  to  lose  this  unique  opportunity.  ■ 
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fond  of  it. 


— Robert  E.  Lee 


